BreachExchange mailing list archives

5 Overlooked IT Risk Management Issues That Can Bite You In The Budget


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Apr 2015 19:17:30 -0600

http://www.forbes.com/sites/sungardas/2015/04/22/5-overlooked-it-risk-management-issues-that-can-bite-you-in-the-budget/

We all know what an ideal budget looks like: every factor is neatly
categorized as its own line item, strategic initiatives are fully funded,
all the numbers balance, and nothing ever changes throughout the fiscal
year. When it comes to budgeting for Information Technology (IT) risk
management, every possible issue has been identified and provided for.

Now, let’s talk about reality.

The cold, stark reality of IT budgeting is that there are plenty of IT risk
management issues that can easily be overlooked … and end up biting you in
the budget. Here are five to put on the agenda for your next IT staff
meeting so that you don’t find yourself footing an unexpected (and nasty)
bill later in the fiscal year.

1. Assess third-party technology availability carefully

A lot of companies today have integrated supply chains that incorporate
third-party IT technology partners – ITaaS, IaaS, PaaS, SaaS … the list of
“as a service” offerings continues to grow.

These third-party vendors are of critical importance in the supply chain;
unfortunately, IT is often guilty of not funding assessments to explore the
risks their third-party partners might represent, or to find out what would
happen if those third parties experience a technology availability failure.

Think about it for a moment: what would happen if a critical software
application went down? Or if your infrastructure was unavailable for an
hour … or six hours … or 24 hours? Most likely, the repercussions would be
felt up and down the supply chain, from the top executive to the final
customer.

The solution is to go beyond a “check the box” mentality when you ask about
your third parties’ business continuity and disaster recovery (BC/DR)
plans. You need to probe deeply into exactly what those BC/DR plans
consist of, how they can ensure availability despite an event taking place,
and how the vendor has validated the effectiveness of those plans. Anything
less than solid proof of availability has the potential to come back and
bite you in the budget.

2. Understand all your interdependencies

Interdependencies multiply constantly in today’s business environment.
Applications, platforms, infrastructures, systems, networks … all combine
to create a veritable spider web. Touch one silvery filament, and the
tremor can be felt in a dozen seemingly unrelated areas.

It’s vital for IT departments to understand every strand and juncture of
this spider web so that they have a valid and comprehensive perspective on
how an issue in a given area would impact the supply chain – and plan
accordingly.

Take a classic example: a company has a legacy infrastructure supporting a
mission-critical application designed to be continuously available. But the
legacy infrastructure itself can’t meet the necessary availability
requirements. Because of this interdependency, the application is at risk,
as is everything that relies upon it. The IT department needs to take
action to replace or harden the legacy infrastructure to bring it “up to
code.”

There are a lot of platforms, applications, etc. today that are out of
alignment with business requirements. They may be working fine right now,
but they cannot guarantee the continuous availability business demands. IT
needs to search these out and fix them to get in sync with today’s business
landscape.

3. Decide what to do after a breach

There is a lot of emphasis today on threat analysis and prevention – and
rightly so. But breaches can and do happen, despite an IT department’s best
efforts. If a company experiences a breach, it costs. However, it will cost
a lot more if IT hasn’t taken the time to decide what to do in the
aftermath of a security breach.

This is the area of cyber incident management. What is IT’s response plan
to a breach? How will they minimize the effects of a breach? When will they
perform appropriate forensic work to identify what happened and prevent it
from recurring? Does IT need to re-evaluate their spend to better manage
customers or internal stakeholders in the event of a breach? The reactive
measures following a breach for new software, consulting services, and IT
infrastructure appliances can greatly impact an IT budget unexpectedly.
Proactive planning around a breach and the reaction to it can help limit
the unplanned costs for IT if an event were to happen.

4. Consider disaster recovery when engaging in application/systems
development

Application/systems development takes place in a pristine sandbox. There
are no unplanned outages, no business interruptions, no hacks. Then, the
application/system is deployed in the real world and – surprise, surprise –
things are no longer so rosy. The first incident typically wreaks havoc on
the application/system and everything downstream of it.

IT needs to build disaster recovery (DR) into the software development life
cycle (SDLC) process when engaging in application/systems deployment.
Vulnerabilities should be explored and mitigated while still in the
“sandbox” phase so that the appropriate upfront budgeting can be justified
as part of the development process. This will require changes to the
initial scope and budget of the project, but the costs are far less than
either retrofitting recovery into the application/system after it has been
deployed or, worse, repairing disaster damage on the backend.

5. Keep up to date with change management requirements

Weak IT change management discipline always costs in the long run.
Applications and systems may be running on outdated or unsupported
software or infrastructure versions. Production environments get out of
sync with recovery environments. Security updates and patch
implementation lag behind.

In every case, risk increases. And with increased risk, the probability of
a problem – be it a hack, a software failure, a botched recovery, a broken
interface, etc. – gets higher. So to avoid having to explain an unplanned
capital expense, it is in IT’s best interest to be rigorous about change
management across ALL aspects of IT.

No one likes surprises – particularly when they involve money. By taking
these five often-overlooked IT risk management issues into consideration,
you can avoid a multitude of unpleasant situations that could bite you in
the budget.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 